USAA Federal Savings Bank v. PLS Financial Services, Inc. et al
Filing
42
OPINION AND ORDER. For the foregoing reasons, the Court grants PLS' motion to dismiss 28 . The Court dismisses the negligence claim with prejudice and the negligence per se and ICFA claims without prejudice. Signed by the Honorable Sara L. Ellis on 5/30/2017. Mailed notice(rj, )
<![CDATA[
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
USAA FEDERAL SAVINGS BANK,
Plaintiff,
v.
PLS FINANCIAL SERVICES, INC., PLS
GROUP, INC., and THE PAYDAY LOAN
STORE OF ILLINOIS, INC.,
Defendants.
)
)
)
)
)
)
)
)
)
)
)
No. 16 C 7911
Judge Sara L. Ellis
OPINION AND ORDER
After Plaintiff USAA Federal Savings Bank (“USAA”) lost over $3,000,000 in a
fraudulent check cashing scheme, USAA filed suit against Defendants PLS Financial Services,
Inc., PLS Group, Inc., and The Payday Loan Store of Illinois, Inc. (collectively, “PLS”),
claiming PLS acted negligently in protecting USAA members’ financial information so as to
allow third parties to create fraudulent checks with that information, that PLS’ negligence can be
established based on the per se violation of various state and federal statutes, and that PLS
violated the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 Ill.
Comp. Stat. 505/1 et seq. PLS has moved to dismiss USAA’s first amended complaint. Because
no common law duty exists to safeguard personal information under Illinois law, the Court
dismisses USAA’s negligence claim. And because USAA effectively abandons its negligence
per se claim in response to PLS’ motion to dismiss, the Court dismisses that claim as well.
Finally, the Court dismisses USAA’s ICFA claim because USAA has not adequately alleged that
the data breach affected its Illinois members or that the underlying unfair conduct took place
primarily in Illinois.
BACKGROUND1
USAA provides banking services to members and veterans of the United States military.
PLS, through the three individually named Defendants, provides check cashing and payday
lending services at approximately 300 retail locations in eleven states, including Illinois. The
individual Defendants share common directors, officers, and office locations, with centralized
recordkeeping and computer systems, and have similar business practices. PLS is not a bank and
does not provide bank accounts to its customers. Instead, PLS charges customers a fee to cash
checks, obtain money orders, and use other financial services.
In the course of doing business, PLS cashes checks drawn on USAA. In cashing these
checks, as with any other checks, PLS obtains certain information about the drawer of the check
and the bank on which the check is drawn from the face of the check, including the drawer’s
name, the check number, account number, bank routing number, drawer’s signature, and MICR
information.2 PLS makes an electronic copy of the check before forwarding the check to the
drawer’s bank for payment.
In October 2012, the United States and PLS agreed to settle a suit brought by the United
States against PLS in which the United States alleged that PLS did not properly secure its
customers’ personal information. The stipulated final injunction required PLS to develop a
comprehensive information security program to protect the security, confidentiality, and integrity
of consumers’ personal information, including consumers’ names, addresses, and financial
1
The facts in the background section are taken from USAA’s first amended complaint and the exhibits
attached thereto and are presumed true for the purpose of resolving PLS’ motion to dismiss. See Virnich
v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011); Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO v. Exelon
Corp., 495 F.3d 779, 782 (7th Cir. 2007).
2
MICR stands for magnetic ink character recognition. The MICR information contains certain encoded
information used to verify the legitimacy of checks.
2
institution account numbers. PLS also agreed to take reasonable measures to protect against
unauthorized access to or use of such information.
Problems with unauthorized access to PLS customers’ personal information continued,
however. Specifically, an unidentified female PLS employee provided third parties with access
to PLS’ computer systems, which allowed these third parties to copy check images and produce
counterfeit checks based off those images. The checks ranged from between $5 and $10,000.
The third parties then used these counterfeit checks, which included checks drawn on USAA, to
obtain money through various schemes. The payor banks on the counterfeit checks, including
USAA, ultimately bore the loss because the checks were unauthorized, meaning the members on
whose accounts the checks were drawn could not be held liable for them. USAA has discovered
over 2,000 original checks from its members that were cashed at PLS and subsequently
counterfeited, causing USAA to incur over $3,000,000 in damages.
In October 2014, USAA notified PLS of the issue and requested help in coordinating an
investigation into the counterfeiting. USAA indicated it had noticed most of the checks that
were subsequently counterfeited had been cashed at PLS locations in Texas, Arizona, and
California and subsequently deposited through a bank in Rosemont, Illinois. PLS responded that
it would refer the matter to its general counsel.
LEGAL STANDARD
A motion to dismiss under Rule 12(b)(6) challenges the sufficiency of the complaint, not
its merits. Fed. R. Civ. P. 12(b)(6); Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir.
1990). In considering a Rule 12(b)(6) motion to dismiss, the Court accepts as true all wellpleaded facts in the plaintiff’s complaint and draws all reasonable inferences from those facts in
the plaintiff’s favor. AnchorBank, FSB v. Hofer, 649 F.3d 610, 614 (7th Cir. 2011). To survive
3
a Rule 12(b)(6) motion, the complaint must not only provide the defendant with fair notice of a
claim’s basis but must also be facially plausible. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S. Ct.
1937, 173 L. Ed. 2d 868 (2009); see also Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.
Ct. 1955, 167 L. Ed. 2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads
factual content that allows the court to draw the reasonable inference that the defendant is liable
for the misconduct alleged.” Iqbal, 556 U.S. at 678.
ANALYSIS
I.
Negligence Claims
A.
Existence of a Duty
To succeed on its negligence claim, USAA must establish that (1) PLS owed USAA a
duty, (2) PLS breached that duty, and (3) PLS’ breach proximately caused USAA injury. Rhodes
v. Ill. Cent. Gulf R.R., 665 N.E.2d 1260, 1267, 172 Ill. 2d 213, 216 Ill. Dec. 703 (1996). USAA
contends that PLS owed USAA a general duty of reasonable care to avoid causing foreseeable
harm to USAA and, more specifically, a duty to safeguard financial information. But PLS
claims that no such duty exists under Illinois law. The existence of a duty under Illinois law is a
question of law. Simpkins v. CSX Transp., Inc., 965 N.E.2d 1092, 1096, 2012 IL 110662, 358
Ill. Dec. 613 (2012).
USAA relies on the Illinois Supreme Court’s decision in Simpkins to argue that PLS had
a duty to exercise reasonable care to avoid causing foreseeable harm to USAA in that PLS
should have taken steps to prevent unauthorized access to its database of financial information.
See id. at 1097 (“[E]very person owes a duty of ordinary care to all others to guard against
injuries which naturally flow as a reasonably probable and foreseeable consequence of an act,
and such a duty does not depend upon contract, privity of interest or the proximity of
4
relationship, but extends to remote and unknown persons.” (quoting Widlowski v. Durkee Foods,
Div. of SCM Corp., 562 N.E.2d 967, 968, 138 Ill. 2d 369, 150 Ill. Dec. 164 (1990))). But
Simpkins did not establish a “duty to the world at large” and instead limited the duty to one
bounded by four factors: “(1) the reasonable foreseeability of the injury, (2) the likelihood of the
injury, (3) the magnitude of the burden of guarding against the injury, and (4) the consequences
of placing that burden on the defendant.” Id. Although these general guideposts are helpful,
here, the Court more narrowly considers the specific contours of the duty USAA claims PLS
allegedly breached in its first amended complaint—that of safeguarding allegedly confidential
financial information. See Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL
292947, at *5–6 (N.D. Ill. Jan. 21, 2015) (refusing to consider plaintiff’s argument that a more
general “ordinary care standard” applied where plaintiff based her negligence claim on
defendant’s “failure to exercise reasonable care and caution in safeguarding and protecting”
personal information).
Although the Illinois Supreme Court has not opined on the issue, the Illinois Appellate
Court has refused to create “a new legal duty beyond legislative requirements” to safeguard an
individual’s personal information or protect it from disclosure. Cooney v. Chicago Pub. Schs.,
943 N.E.2d 23, 28–29, 407 Ill. App. 3d 358, 347 Ill. Dec. 733 (2010). Although Cooney
involved the disclosure of employees’ health insurance information, in addition to names,
addresses, and social security numbers, the same analysis extends to the disclosure of financial
information. See Landale Signs & Neon, Ltd. v. Runnion Equip. Co., No. 16-cv-7619, 2016 WL
7409916, at *3 (N.D. Ill. Dec. 22, 2016) (applying Cooney to find no duty to safeguard another
party’s confidential information with respect to claim concerning fraudulent wiring of payment
5
to third party);3 Cmty. Bank of Trenton v. Schnuck Markets, Inc., --- F. Supp. 3d ----, 2016 WL
5409014, at *12 (S.D. Ill. Sept. 28, 2016) (refusing to recognize a duty to protect customers’
personal financial information, noting that “the legislature could create a duty to safeguard
personal data if it felt it appropriate to do so, and in light of the recent uptick in data breach cases
it may well do so, but in the absence of such legislation, the Court will not recognize a new duty
between two sophisticated parties”). Nonetheless, USAA argues that a heightened requirement
applies to financial institutions, which must protect their customers’ confidential information
from identity theft. See Shames-Yeakel v. Citizens Fin. Bank, 677 F. Supp. 2d 994, 1008 (N.D.
Ill. 2009) (finding that, under Indiana law, a bank “has a duty not to disclose information
concerning one of its customers unless it is to someone who has a legitimate public interest” and
so “must certainly employ sufficient security measures to protect their customers’ online
accounts” (citation omitted)). But Shames-Yeakel applied Indiana law, and USAA has provided
no cases suggesting that a similar duty exists under Illinois law.4 USAA also argues that even
though PLS is not a bank, a bank’s duties of care apply equally to PLS because PLS offers check
3
The plaintiff in Landale Signs sought reconsideration of the court’s decision finding no duty to
safeguard plaintiff’s confidential information. The court reiterated its conclusion that Illinois law does
not recognize such a duty, even where the defendant has prior knowledge of a data breach, creates a
situation conducive to a data breach, and the injury was foreseeable. See Landale Signs & Neon, Ltd. v.
Runnion Equip. Co., No. 16-cv-7619, 2017 WL 1208506, at *3 (N.D. Ill. Apr. 3, 2017).
4
The Shames-Yeakel court’s statement that Indiana would recognize a negligence claim for a data breach
by a bank has been questioned as unsupported and contrary to the Seventh Circuit’s decision in Pisciotta
v. Old National Bancorp, where the Seventh Circuit stated that “[h]ad the Indiana legislature intended that
a cause of action should be available against a database owner for failing to protect adequately personal
information, we believe that it would have made some more definite statement of that intent.” 499 F.3d
629, 637 (7th Cir. 2007); see In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 1004–05 (N.D.
Cal. 2016) (noting that Shames-Yeakel has not been relied on for the proposition “that a bank’s duty not to
disclose must include a duty to protect customers’ personal information”). And while USAA cites
additional cases recognizing a duty to exercise reasonable care in safeguarding financial information,
none of those cases apply Illinois law. See In re: The Home Depot, Inc., Customer Data Sec. Breach
Litig., 1:14-md-2583-TWT, 2016 WL 2897520, at *3–4 (N.D. Ga. May 18, 2016) (applying Georgia
law); In re Target Corp. Customer Data Sec. Breach Litig., 64 F. Supp. 3d 1304, 1309–10 (D. Minn.
2014) (applying Minnesota law); Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d
421, 426 (5th Cir. 2013) (applying New Jersey law).
6
cashing services, relying on Travelers Casualty & Surety Co. of America v. Wells Fargo Bank
N.A., 374 F.3d 521, 525–27 (7th Cir. 2004). While the Travelers court did extend the duty to
“exercise due care to make sure that the drawer (the third party) intended the depositor to receive
the drawer’s money” to “other financial institutions that perform bank-type services,” id., the
court said nothing about imposing a duty to safeguard personal information, the duty at issue
here. Therefore, because Illinois does not recognize a common law duty to safeguard personal
information, USAA cannot establish its claim for negligence against PLS and so the Court
dismisses that claim with prejudice. See Landale Signs, 2016 WL 7409916, at *3; Cooney, 943
N.E.2d at 29.
B.
Negligence Per Se
USAA purports to bring a claim for negligence per se, setting forth various statutes in the
first amended complaint that PLS allegedly violated. PLS argues that USAA has not alleged
facts to demonstrate that PLS violated any of these cited statutes. Setting aside the issue of
whether any of the statutes cited give rise to a pure negligence per se claim or merely provides
for the creation of a duty of care where none otherwise exists at common law, see Abbasi ex rel.
Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186, 187 Ill. 2d 386, 240 Ill. Dec. 700 (1999)
(explaining that “the violation of a statute is not negligence per se, which refers to strict liability,
but rather only prima facie evidence of negligence, unless the legislature clearly intends to
impose strict liability” (citations omitted)), USAA did not respond to PLS’ arguments
concerning its negligence per se claim. USAA’s failure to respond effectively concedes the
issue, and so the Court dismisses the negligence per se claim without prejudice. See Bonte v.
7
U.S. Bank, N.A., 624 F.3d 461, 466 (7th Cir. 2010) (“Failure to respond to an argument . . .
results in waiver.”).5
II.
ICFA
To state an ICFA claim, USAA must allege (1) a deceptive or unfair act or practice by
PLS, (2) PLS’ intent that USAA rely on the deceptive or unfair practice, (3) the deceptive or
unfair practice occurred in the course of conduct involving trade or commerce, and (4) PLS’
deceptive or unfair practice caused USAA actual damage. Wigod v. Wells Fargo Bank, N.A.,
673 F.3d 547, 574 (7th Cir. 2012); Kim v. Carter’s Inc., 598 F.3d 362, 365 (7th Cir. 2010).
USAA may recover for either deceptive or unfair conduct. Robinson v. Toyota Motor Credit
Corp., 775 N.E.2d 951, 960, 201 Ill. 2d 403, 266 Ill. Dec. 879 (2002); Siegel v. Shell Oil Co.,
612 F.3d 932, 935 (7th Cir. 2010) (“A plaintiff may allege that conduct is unfair under ICFA
without alleging that the conduct is deceptive.”). Although USAA appears to pursue a claim for
both deceptive and unfair conduct in the first amended complaint, in response to PLS’ motion to
dismiss, USAA addresses only an unfair practices claim and so the Court does the same. An
unfair practices claim need not meet Rule 9(b)’s heightened pleading standard because it is not
based on fraud. Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 737 (7th Cir. 2014).
First, USAA argues that by violating the Illinois Personal Information Protection Act (the
“PIPA”), 815 Ill. Comp. Stat. 530/1 et seq., PLS has per se committed a violation of ICFA. See
815 Ill. Comp. Stat. 505/2Z; 815 Ill. Comp. Stat. 530/20. But PLS argues that USAA has not
sufficiently alleged a PIPA violation. Section 10 of the PIPA provides that “[a]ny data collector
that owns or licenses personal information concerning an Illinois resident shall notify the
5
PLS also argues that the negligence claims should be dismissed because they are barred by the economic
loss doctrine and because USAA has not identified the specific actions taken by each of the three
individual Defendants. Because the Court dismisses the claims on alternative grounds, it need not reach
these arguments at this time.
8
resident at no charge that there has been a breach of the security of the system data following
discovery or notification of the breach.” 815 Ill. Comp. Stat. 530/10(a). PLS argues that USAA
has not alleged that the data breach affected any Illinois residents or that PLS discovered a
breach affecting an Illinois resident. Alternatively, to the extent the first amended complaint can
be read to imply a data breach affecting Illinois residents, PLS contends that USAA, which is not
an Illinois resident, does not have standing to allege a violation of the PIPA on behalf of any of
its Illinois members. Although USAA argues that the Court can infer that PLS’ conduct in not
securing its database affected Illinois residents, the first amended complaint says nothing about
the residency of the affected USAA members. An email from USAA to PLS notifying PLS of
the counterfeiting scheme suggests that the affected USAA members had written checks cashed
at PLS locations in Texas, Arizona, and California, with the only connection to Illinois being that
PLS then deposited these checks at a bank in Illinois. See Doc. 22-3. But this, along with the
copy of a USAA member’s check showing its deposit in Illinois, says nothing about the
residency of the affected USAA members and the email instead could be read to suggest that the
breach affected USAA members mainly residing outside of Illinois. The Court thus cannot infer,
as USAA requests, that the breach affected Illinois residents so as to make the PIPA applicable,
requiring the Court to dismiss the ICFA claim to the extent it is premised on a violation of the
PIPA without prejudice.
Alternatively, USAA argues that it can proceed on an unfair practices claim. Conduct is
considered unfair if it (1) violates public policy, (2) is “so oppressive that the consumer has little
choice but to submit,” or (3) causes consumers substantial injury. Siegel, 612 F.3d at 935.
Additionally, because USAA is not a consumer, it must establish that the conduct complained of
generally affects consumer protection concerns. Thrasher-Lyon v. Ill. Farmers Ins. Co., 861 F.
9
Supp. 2d 898, 911–12 (N.D. Ill. 2012). As with USAA’s more specific ICFA claim based on
violation of the PIPA, USAA’s unfair practices claim fails because ICFA has a limited
extraterritorial reach, applying to claims “only if the circumstances relating to the alleged
fraudulent transaction occurred mostly in Illinois.” Crichton v. Golden Rule Ins. Co., 576 F.3d
392, 396 (7th Cir. 2009) (citing Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852–
53, 216 Ill. 2d 100, 296 Ill. Dec. 448 (2005)). The fact that PLS is headquartered in Illinois does
not confer USAA with standing to pursue its ICFA claim because the Court instead looks to
where the circumstances underlying the alleged unfair or fraudulent activity arose. Id. The
Court cannot infer from the allegations of the first amended complaint that the allegedly unfair
conduct occurred in Illinois. Instead, USAA’s attached email suggests that the conduct occurred
in Texas, Arizona, and California, with the only link to Illinois being the fact that PLS has its
headquarters here, meaning that checks received by PLS ultimately were deposited through a
bank in Rosemont, Illinois. The location of these check deposits is not enough to extend ICFA’s
reach to USAA’s alleged ICFA unfair practices claim, where no allegations suggest that the
breach occurred in Illinois or affected Illinois residents. Without more, the Court also dismisses
this aspect of USAA’s ICFA claim without prejudice.
CONCLUSION
For the foregoing reasons, the Court grants PLS’ motion to dismiss [28]. The Court
dismisses the negligence claim with prejudice and the negligence per se and ICFA claims
without prejudice.
Dated: May 30, 2017
______________________
SARA L. ELLIS
United States District Judge
10
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
